Koa
Monthly
Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols. Because @ separates userinfo from host in a URL, a link built from such a value sends the browser to whatever follows the @, so applications that use this API for security-sensitive operations such as URL generation, password reset links and email verification are affected. Public exploit code exists for this vulnerability. Applications that rely on ctx.hostname for routing decisions or for generating user-facing URLs are at risk of credential theft, account compromise and phishing.
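As an added example (not Koa's own code), the following shows why a hostname taken from the request is unsafe to build links from and how an explicit allowlist plus a configured canonical origin closes the hole. naiveHostname is a simplified stand-in for a framework hostname getter that only strips the port, not Koa's implementation; ALLOWED_HOSTS, CANONICAL_ORIGIN and the .example domains are assumed values. It runs with plain Node and needs no Koa install.

```javascript
// Added example, not Koa's code. Models the Host-header-to-URL failure mode
// described above and a hardened replacement. Plain Node; no Koa dependency.

// Simplified stand-in for a framework hostname getter that only strips the
// port (assumption: this is NOT Koa's implementation). An '@' survives into
// the returned value.
function naiveHostname(hostHeader) {
  return hostHeader.split(':', 1)[0];
}

// Vulnerable pattern: a password-reset link built from the request's Host.
function resetLinkFromRequest(hostHeader, token) {
  return `https://${naiveHostname(hostHeader)}/reset?token=${encodeURIComponent(token)}`;
}

// A prefix check is a common but wrong allowlist; "trusted@attacker" passes it.
function weakPrefixCheck(hostHeader) {
  return naiveHostname(hostHeader).startsWith('legit.example');
}

// Where a browser actually sends a request built from such a link: in a URL,
// everything before '@' is userinfo, so the request goes to the part after it.
function effectiveHost(link) {
  return new URL(link).hostname; // URL is a Node global (WHATWG parser)
}

// Hardened pattern. Assumed deployment settings:
const ALLOWED_HOSTS = new Set(['legit.example', 'www.legit.example']);
const CANONICAL_ORIGIN = 'https://legit.example';

// Accept only "host" or "host:port" where host is a plain DNS name on the
// allowlist; '@', '/', whitespace or anything else is rejected outright.
// (Bracketed IPv6 literals are deliberately not accepted here.)
function validateHostHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const m = /^([a-z0-9.-]+)(?::\d{1,5})?$/i.exec(hostHeader);
  if (!m) return null;
  const host = m[1].toLowerCase();
  return ALLOWED_HOSTS.has(host) ? host : null;
}

// Links are built from the configured origin, never from client input; the
// Host check only decides whether to serve the request at all.
function resetLinkHardened(hostHeader, token) {
  if (validateHostHeader(hostHeader) === null) {
    throw new Error('untrusted Host header');
  }
  return `${CANONICAL_ORIGIN}/reset?token=${encodeURIComponent(token)}`;
}
```

With a constructed Host of legit.example@attacker.example, resetLinkFromRequest produces a link whose effective host is attacker.example even though weakPrefixCheck accepts it; validateHostHeader rejects the same value, and resetLinkHardened never consults the header when composing the link. In a Koa app the equivalent guard would run as early middleware on ctx.host and reject the request with a 400 rather than continuing.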
Open redirect vulnerability in KoaJS Koa up to version 3.0.0: the back() function in lib/response.js (HTTP Header Handler component) redirects to the value of the Referrer header (the HTTP Referer), so an authenticated remote attacker who controls that value, with user interaction, can send the user to an arbitrary external URL. Public exploit code is available, yet the EPSS exploitation probability is very low at 0.08%, which suggests this is primarily a client-side social engineering vector rather than a widely exploitable server-side flaw.
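The added example below, which is not Koa's lib/response.js, contrasts a "redirect back" helper that trusts the Referer verbatim with one that honours it only when it points at the application's own origin and otherwise falls back to a fixed path. TRUSTED_ORIGIN and the .example hosts are assumed values.

```javascript
// Added example, not Koa's code: a "redirect back" helper that honours the
// Referer only for same-origin URLs. TRUSTED_ORIGIN is an assumed setting.
const TRUSTED_ORIGIN = 'https://app.example';

// Vulnerable shape: the header value goes into Location verbatim, so a page on
// any site that links here can bounce its visitors anywhere it likes.
function backUnsafe(referer, alt = '/') {
  return referer || alt;
}

// Hardened shape: parse the header, require an exact origin match, and emit
// only path + query so no absolute URL from the client ever reaches Location.
function backSafe(referer, alt = '/') {
  if (!referer) return alt;
  let target;
  try {
    target = new URL(referer, TRUSTED_ORIGIN); // relative paths resolve against us
  } catch {
    return alt; // unparseable header
  }
  // Rejects other hosts, "https://app.example@evil.example/", protocol-relative
  // "//evil.example/x", lookalike suffixes such as app.example.evil.example, and
  // non-http schemes such as javascript:, whose origin is the string "null".
  if (target.origin !== TRUSTED_ORIGIN) return alt;
  return target.pathname + target.search;
}
```

In a Koa handler this would be used as ctx.redirect(backSafe(ctx.get('Referer'), '/home')); returning a path rather than a full URL is the important property, since it means the Location header can only ever name the application itself.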
Koa is expressive middleware for Node.js using ES2017 async functions. A Cross-Site Scripting (XSS) vulnerability in Koa, rated medium severity (CVSS 5.0), is remotely exploitable without authentication and could allow an attacker to inject malicious scripts into web pages viewed by other users.
Another Koa vulnerability is rated critical severity (CVSS 9.2): it is remotely exploitable, requires no authentication and has low attack complexity.